As fast as companies have raced to modernize, legacy technology still lives within most enterprise systems.
Whether older systems persist due to budget constraints, or they’re so vital that replacing them is a daunting task, legacy software and devices present potential security risks.
Legacy technology may no longer receive security updates, or devices may have been acquired so long ago that they were built before ransomware was a looming threat.
No matter why legacy tech sits in a system, companies need to protect those stacks and devices before they become a gateway for systemwide attacks.
The value of security isn’t measured in how many defense solutions a company buys, said Brian Scriber, VP of security and privacy technologies at CableLabs. “You measure it by what’s your weakest point of entry.”
Legacy technology, modern risk
It’s not surprising that many older devices aren’t capable of modern-day protections: some threats didn’t exist when they were created. Older devices were often “built in an area where you didn’t have awareness of things like logging minimum or cryptographic support,” said Scriber.
Companies may have also bought software — whether they know it or not — that uses older technology. “Even though you have that vendor’s most recent solution, you may not have everything in that supply chain,” he said.
It’s also possible that some companies and organizations may not have the talent to figure out how to protect legacy technology, said Betsy Soehren Jones, partner at West Monroe.
The talent crunch has been a common problem for utility sector companies, which often use analog technology. Entities that are focused on keeping the lights on may not have resources dedicated to identifying how these critical systems are exposed to potential cybersecurity risks.
“I don’t know if it’s necessarily a symptom of ‘we don’t know,’ it’s [about] ‘do you have the workforce on staff or can you find a vendor you trust to mitigate or remediate what’s in your environment?’” Soehren Jones said.
Visibility into legacy tech
When it comes to software, leaders should understand everything that exists in their stack, including the pieces that make up their vendors’ software.
This approach requires having software bills of materials for everything, said Scriber. That way, organizations have better visibility into the vulnerabilities in their tech stack. If an attacker exploits security gaps in vendor software, a CISO can quickly identify and stop it.
Inventory also needs to be a priority, he added.
“The quickest and best way to get real results is to understand what you have in your network, how old are the devices, how old is the firmware in the device, when was it updated, what software is included in here, and what things might be lurking under the covers,” Scriber said.
Companies should also have strong intrusion detection systems, so that if something does start poking at legacy tech, or legacy software starts acting out of pattern, CISOs can identify and stop threats.
For very old devices, like those that are part of critical infrastructure, basic cybersecurity hygiene can make a difference, said Soehren Jones. “It sounds so simple…but when was the last time somebody changed the password on it? It might have actually been five to 10 years,” she said.
Some older devices may not be able to take patches “because, if you patch it, is it going to break the whole system?” she said. In those cases, devices should not be internet-facing without firewall protection.
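The inventory questions above (device and firmware age, last update, last password change, and whether an unpatchable device sits internet-facing without a firewall) can be turned into a simple triage pass over an asset list. The script below is an added illustration, not code from the article or from CableLabs or West Monroe; the device records, the finding codes, and the age thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    name: str
    firmware_built: date     # build date of the running firmware
    last_updated: date       # last patch or firmware update applied
    password_changed: date   # last credential rotation on the device
    internet_facing: bool    # reachable from outside the network
    behind_firewall: bool    # has a firewall in front of it
    patchable: bool          # can be patched without risking the whole system

def years_since(today: date, then: date) -> float:
    return (today - then).days / 365.25

def triage(devices, today, max_firmware_years=10, max_update_years=2, max_password_years=1):
    """Return {device name: [finding codes]} for every device that needs attention.
    The thresholds are assumptions for this example, not values from the article."""
    findings = {}
    for d in devices:
        codes = []
        if years_since(today, d.firmware_built) > max_firmware_years:
            codes.append("stale-firmware")
        if years_since(today, d.last_updated) > max_update_years:
            codes.append("stale-updates")
        if years_since(today, d.password_changed) > max_password_years:
            codes.append("stale-password")
        if d.internet_facing and not d.behind_firewall:
            codes.append("exposed-without-firewall")
        if d.internet_facing and not d.patchable:
            codes.append("unpatchable-and-exposed")
        if codes:
            findings[d.name] = codes
    return findings

def weakest_first(findings):
    """Order flagged devices by number of findings, worst first (the weakest point of entry)."""
    return sorted(findings, key=lambda n: (-len(findings[n]), n))

# Constructed sample inventory; these are not real devices or dates from the article.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("plc-substation-7", date(2009, 3, 15), date(2013, 1, 10), date(2014, 5, 1), True, False, False),
    Device("edge-router-2", date(2022, 2, 1), date(2024, 3, 1), date(2024, 1, 15), True, True, True),
    Device("hmi-panel-3", date(2016, 8, 1), date(2019, 6, 1), date(2019, 6, 1), False, True, True),
]

if __name__ == "__main__":
    report = triage(INVENTORY, TODAY)
    for name in weakest_first(report):
        print(name, ", ".join(report[name]))
```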
There has been additional investment in software within sectors that have long been ignored, she said, which means that there may be solutions now that didn’t exist a few years ago. For example, it might have once made sense to have three separate systems tied together, but one solution could now replace them all.
While the focus has been on modernizing older software and devices, what makes a device “legacy” may not be its age, said Scriber. Some newer devices may have been brought to market with a speed-over-safety priority, or they may ship with software more than 10 years old.
“It’s kind of like buying a new car … you drive it off the lot and suddenly you now have a used car,” he said. “As soon as you deploy them, they become legacy devices.”